Between February 12, 2018 and April 8, 2018, Radically Open Security B.V. carried out a code audit for Open Tech Fund

This report contains our findings as well as detailed explanations of exactly
how ROS performed the code audit.

1.2

Scope of work

The scope of the penetration test was limited to the following target:

•

F-droid Client

•

F-droid Privileged Extension

•

F-droid Repomaker

•

F-droid Server

•

F-droid Website

1.3

Project objectives

The project objective was to identify vulnerabilities in Fdroid web application and mobile app. This was to be achieved by performing code audit and pen-test of Fdroid app hosting server application, the Fdroid app for browsing and downloading apps from Fdroid repositories, and code to create and register app repositories as part of Fdroid community.

1.4

Timeline

The Security Audit took place between Febuary 12 and April 8, 2018.

1.5

Results In A Nutshell

In all, we report 10 high impact, 18 moderate impact and 10 low impact issues during the course of the code audit and pen-test.

Some limited impact issues have been found in the code audit of repomaker. Some high impact code execution and infoleak issues have been found in fdroidserver which allow an adversary to run code in the host running fdroidserver and the users browsers visiting fdroid.org.

Potentially significant impact issues have been found during the Fdroid client code review, ranging from unverified trust through use of TOFU to insecure communication leading to MiTM.

During the pen-test, the request-swap functionality of the app potentially allows mailicious requests/messages to be accepted, and also redirect users to malicious sites. In addition, weaknesses in cryptography usage and potential for MiTM was discovered.

Attacker controlled URLs can be used first to run a regular expression on a local file, then depending on a match of the expression a second URL can be accessed or not. This can be used to leak information from the fdroid host.

XML file parsing can be used to exhaust resources (RAM) when entity parsing is abused for the Billion Laughs and Quadratic Blowup attacks. In fdroidserver there is a couple of places where such can happen.

Unsafe use of the DatalistTextInput can lead to javascript injection in Repomaker. However this widget is currently only used to select predefined list of languages. However if in the future this widget is used to render unsanitized user input it can be easily exploited.

The dangerous python module pickle is being used to store and load a cache. On its own this is not exploitable, but when an attacker has can write files, then this can be escalated into a code execution vulnerability.

All external programs that are called by fdroidserver depend on the correct executable to be first found in the $PATH environment variable. If an attacker is able to place their own executable on a path before the legit executable that can lead to adversarial code execution.

The application should validate the message being shown to the user and its origin. Also accepting any message or domain from a user and redirecting the user to a different domain is a very insecure implementation. The users should not be redirected to any domain given by the other user. A validation of this parameter is also needed to be implemented.

Only allow certain types of files to be transmitted (whitelisting) if possible.
Limit the size of file to be transmitted, and warn the user for large files.
The issue should be fixed in the parent class, and the subclasses should perform some content type check, to avoid malicious file/app installation on the victim device.

An out of band key sharing mechanism, such as sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices, instead of TOFU.

An out of band key sharing mechanism, such as sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices, instead of TOFU.

On finding that the output file exists, the function should return error and let higher level code handle the error. Alternatively, the code should add a random suffix to the output file name if the specified file exists.

FILE class in Java allows creation of subdirs, and setting specific permissions on created files. It is recommended to create the temp files within app specific subdirectory, for example "Fdroid" under global tmp folder. This subfolder can be created with restricted permissions for owner only, to create other temporary files with restricted permissions within this app-specific folder.

It is recommended to never use the unvalidated user input inside a SQL query and execute it. The best way to make sure adversaries will not be able to inject unsolicited SQL syntax into your queries is to avoid using SQLiteDatabase.rawQuery() instead opting for a parameterized statement.

Regular expression pattern should be strengthened to not allow special characters such as semi colon, pipe, quotes etc. to avoid OS command injection attacks.

1.8

Charts

1.8.1

Findings by Threat Level

See pdf version.

1.8.2

Findings by Type

See pdf version.

Executive Summary •

2

Methodology

2.1

Planning

Our general approach during this code audit was as follows:

1.

Scanning

Through the use of vulnerability scanners, all sources were be tested
for vulnerabilities. The result would be analyzed to determine if there any
vulnerabilities that could be exploited to gain access to a target host on a
network.

2.

Grepping

The source code has been grepped for various expressions identifying sources of interest.

3.

Source code reading

The either all of the source code or only portions identified by Scanning and Grepping were being analyzed for possible vulnerabilities.

Our general approach during this penetration test was as follows:

1.

Reconnaissance

We attempted to gather as much information as possible about the
target. Reconnaissance can take two forms: active and passive. A
passive attack is always the best starting point as this would normally defeat
intrusion detection systems and other forms of protection, etc., afforded to the
network. This would usually involve trying to discover publicly available
information by utilizing a web browser and visiting newsgroups etc. An active form
would be more intrusive and may show up in audit logs and may take the form of a
social engineering type of attack.

2.

Enumeration

We used varied operating system fingerprinting tools to determine
what hosts are alive on the network and more importantly what services and operating
systems they are running. Research into these services would be carried out to
tailor the test to the discovered services.

3.

Scanning

Through the use of vulnerability scanners, all discovered hosts would be tested
for vulnerabilities. The result would be analyzed to determine if there any
vulnerabilities that could be exploited to gain access to a target host on a
network.

4.

Obtaining Access

Through the use of published exploits or weaknesses found in
applications, operating system and services access would then be attempted. This may
be done surreptitiously or by more brute force methods.

2.2

Risk Classification

Throughout the document, each vulnerability or risk identified has been labeled and
categorized as:

•

Extreme

Extreme risk of security controls being compromised with the possibility
of catastrophic financial/reputational losses occurring as a result.

•

High

High risk of security controls being compromised with the potential for
significant financial/reputational losses occurring as a result.

•

Elevated

Elevated risk of security controls being compromised with the potential
for material financial/reputational losses occurring as a result.

•

Moderate

Moderate risk of security controls being compromised with the potential
for limited financial/reputational losses occurring as a result.

•

Low

Low risk of security controls being compromised with measurable negative
impacts as a result.

Please note that this risk rating system was taken from the Penetration Testing Execution
Standard (PTES). For more information, see:
http://www.pentest-standard.org/index.php/Reporting.

Methodology •

3

Automated Code Scans

Automated code scans were used to obtain preliminary reports, which were analysed for false positive issues. Some of the reported findings are from these scan reports.

3.1

Automated Scan Tools

As part of our static code scanning, we used the following automated
scan tools:

Attacker controlled URLs can be used first to run a regular expression on a local file, then depending on a match of the expression a second URL can be accessed or not. This can be used to leak information from the fdroid host.

Technical description:

The python module urllib.request supports also file: and custom schemes. This allows us to craft an apk which can test for certain things on the local filesystem, and depending on matches calls a second URL controlled by the attacker.

excerpt from checkupdates.py:50:

urlcode, codeex, urlver, verex = app.UpdateCheckData.split('|')

If we construct the field UpdateCheckData in such a way, that urlcode is for example file:///etc/passwd, and codeex becomes: '^a[^:]*:x:(1000)' /etc/passwd, urlver is for example pointing to an attacker controlled domain: https://attacker.com/startswitha, and verex is something that matches in the result. Then depending on the match of codeex decides if the attacker controlled URL is retrieved or not leaking information about the default username in this example. With further such packages it is possible to recover the username, and possibly also the secret ssh key of this user for example.

The verifySigningCertificate() function allows non-verified (and non-verifiable) new certificate into the DB. This code applies the TOFU - trust on first use.

Trust On First Use is useful to establish initial contact where apriori shared key is not available - or can not be available. This works ok if a user is prompted to decide whether presented key is to be trusted. For example, the first SSH connection from a client to a server prompts the user whether the certificate presented by the server is trusted.

In case of fdroid app, it appears that the TOFU key is trusted without prompt to user. The TOFU key appears to be persisted in the the repo database thus making the TOFU key permanently trusted.

The TOFU process is a bit more convoluted than it should be, that's for sure. The TOFU prompt is the "Add Repos" prompt, where the fingerprint can either be included from clicking a URL that includes it, like https://guardianproject.info/fdroid/repo?fingerprint=B7C2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7A6135 or by manually typing it in.

If there is no fingerprint provided, then yes, the first signing key seen by F-Droid will be the one that it trusted. We decided that if the user hasn't already provided it, then another prompt won't make that more likely.

The request to http://[client IP]:8888/request-swap is vulnerable as it can be sent by any user, to the client's device. This can be used to show malicious messages and also redirect users.

Technical description:

While a user is using Nearby Swap feature on the application, it is possible to send the request to [http://[client](http://%5Bclient) IP]:8888/request-swap with any message. This message will be shown to the user as if it is being sent by fdroid application.

Exploiting the request to redirect users

Send the below request to the user's device and if the user will follow "Yes" prompt, he/she will be redirected to the provided domain.

The user will get redirected to attacker.com if he/she selects the Yes to prompt.

Impact:

This vulnerability may allow an attacker to show any message on the user's device, looking like fdroid's message. With a bit more user interaction, attacker can even redirect the mobile application user to a website of his own.

Recommendation:

The application should validate the message being shown to the user and its origin. Also accepting any message or domain from a user and redirecting the user to a different domain is a very insecure implementation. The users should not be redirected to any domain given by the other user. A validation of this parameter is also needed to be implemented.

OTF-012 — Key Alias Collisions Can Lead to DoS of Publishing in Fdroidserver

Vulnerability ID: OTF-012

Vulnerability type: Denial of Service

Threat level: Moderate

Description:

By submitting an app to fdroid with a crafted appid it is possible to deny the publishing of new apps to fdroid.

Technical description:

The function key_alias() calculates the key_alias from the appid by hashing it with MD5 and taking the first 8 digits of the hex representation of this hash: md5.hexlify()[:8]. This is 32bits, but due to the birthday paradox collisions are reasonably cheap to calculate.

In the main() function there is a check for collisions of key aliases, if there is any, the publish script aborts. There is a comment refering to a previous audit stating that chances are neglible of encountering a collision.

We produced two PoC scripts, both use as input an english wordlist (taken from debian /usr/share/dict/words) removing all lines that end in "'s", resulting in a list with 73333 english words.

In PoC-1 (collidemd5-4.py) we generate random english words into appids as long as there is no collision. After approximately 9000 samples we find that it takes about 113.930 random appids until there is a collision.

In PoC-2 we adjust our sampling by taking into account that there are currently about 1500 apps in fdroid, and we try to create a collision with one of these 1500 items. After 1355 samples it takes an average 2.925.625 attempts to collide with one of the 1500 target hashes.

This shows it is feasible to create a collision and create a DoS against the publishing process.

Notable also is that the key_alias() function does allow for overriding the key alias, but the check in the main() function does not take that into account.

publish.py:186 (main())):

# It was suggested at
# https://dev.guardianproject.info/projects/bazaar/wiki/FDroid_Audit
# that a package could be crafted, such that it would use the same signing
# key as an existing app. While it may be theoretically possible for such a
# colliding package ID to be generated, it seems virtually impossible that
# the colliding ID would be something that would be a) a valid package ID,
# and b) a sane-looking ID that would make its way into the repo.
# Nonetheless, to be sure, before publishing we check that there are no
# collisions, and refuse to do any publishing if that's the case...
allapps = metadata.read_metadata()
vercodes = common.read_pkg_args(options.appid, True)
allaliases = []
for appid in allapps:
m = hashlib.md5()
m.update(appid.encode('utf-8'))
keyalias = m.hexdigest()[:8]
if keyalias in allaliases:
logging.error(_("There is a keyalias collision - publishing halted"))
sys.exit(1)
allaliases.append(keyalias)

Impact:

Moderate: Denial of Service

Recommendation:

Either use longer ids, or don't make the ids depending on user input.

4.1.13

OTF-013 — Image Bomb Can Lead to DoS in Fdroidserver:update.py

Vulnerability ID: OTF-013

Vulnerability type: Denial of Service

Threat level: Moderate

Description:

Maliciously crafted images can lead to resource exhaustion in fdroidserver.

Technical description:

A crafted image can fill up the RAM and harddisk of fdroidserver _strip_and_copy_image() (resize_icon() might also be affected)

XML file parsing can be used to exhaust resources (RAM) when entity parsing is abused for the Billion Laughs and Quadratic Blowup attacks. In fdroidserver there is a couple of places where such can happen.

Technical description:

Fdroidserver uses the python modules xml.dom.minidom, xml.etree.ElementTree and lxml. All of these are vulnerable to both "quadratic blowup" and "billion laughs" attacks.

Moderate: Availability can be restricted due to Denial of Service attacks

Recommendation:

Replace these with its defusedxml equivalent function or - only applicable to xml.* modules - make sure defusedxml.defuse_stdlib() is called.

4.1.16

OTF-016 — Missing file type and size validation

Vulnerability ID: OTF-016

Vulnerability type: Arbitrary file download

Threat level: Moderate

Description:

Download File Type and Size Are Not Verified

Technical description:

Affected files are Files net/BluetoothDownloader.java and other derived classes in localFileDownloader.java, httpDownLoader.java, imageDownLoader.Java, and its super class Downloader.java

The download activity using WiFi or Bluetooth downloader classes does not check for type of file, or file size. This is intended for apk file sharing between trusted devices.

Developer comments: The install process requires that the hash of the received file matches that in the signed index.jar. So for the exploit to install a malicious APK, the index.jar must also be compromised. The fdroid install process first validates the sha256 against what is in the signed _index.jar_, so after the download process, all files are verified the download process puts the files into a private dir, so the user cannot install them manually after download, only via _fdroidclient

Impact:

Arbitrary, potentially malicious, file can be downloaded into an unsuspecting user's device. This may allow an attacker to activate a different exploit vector.

Recommendation:

Only allow certain types of files to be transmitted (whitelisting) if possible.

Limit the size of file to be transmitted, and warn the user for large files.

The issue should be fixed in the parent class, and the subclasses should perform some content type check, to avoid malicious file/app installation on the victim device.

Developer response: Ideally, F-Droid would always use encrypted connections, but with the p2p we have found that it made it a lot harder to make the exchange. We rely on a TOFUed signing key on the index.jar to provide the integrity check. We went with unencrypted HTTP and Bluetooth to increase the likelihood that things would work.

ROS response: Sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices.

Impact:

Integrity of communication is compromised, leading to arbitrary app installation and device compromise.

Recommendation:

An out of band key sharing mechanism, such as sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices, instead of TOFU.

Integrity of communication is compromised, leading to arbitrary app installation and device compromise.

Recommendation:

An out of band key sharing mechanism, such as sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices, instead of TOFU.

4.1.19

OTF-019 — Potential SQL Injection

Vulnerability ID: OTF-019

Vulnerability type: SQL Injection

Threat level: Moderate

Description:

Concatenation of strings, some of which are under attacker c.ontrol, is used to form DB queries.

Technical description:

Several functions in data subdirectory code use string concatenated query building to do DB operations on package name and other package supplied or repo supplied parameters.

Response from developer: yeah, these should be tightened so we don't have to trust the server.

Impact:

Corruption in device based DB leading to device compromise

Recommendation:

Use prepared statements for DB query preparation.

Validate the strings with white listing before using in SQL query.

4.1.20

OTF-020 — Unverified URI redirect

Vulnerability ID: OTF-020

Vulnerability type: URI redirect

Threat level: Moderate

Description:

App Uses Data From Clipboard for external resource link.

Technical description:

In file ManageReposActivity.java, when AddRepo action is selected, the public method onOptionsItemSelected() at line 148 calls showAddRepo(), which appears to load an http://<> url from clipboard if the clipboard contents look like a URL.

It may be possible for another application to populate the clipboard with malicious URL.

On finding that the output file exists, the function should return error and let higher level code handle the error. Alternatively, the code should add a random suffix to the output file name if the specified file exists.

4.1.22

OTF-022 — Secure Temp File Usage Recommended

Vulnerability ID: OTF-022

Vulnerability type: Insecure temp file

Threat level: Moderate

Description:

nanohttpd.java uses insecure temp files

Technical description:

nanohttpd.java

nanohttpd uses java.io.tmpdir system property as the folder to create temp files. It is recommended that secure temp files should only be created within a subfolder of a public, systemwide temp directory.

576: tmpdir = System.getProperty("java.io.tmpdir");

At several places in the code, the temp files in "tmpdir" are created with random string with NanoHTTPD- prefix, making the temp file usage somewhat secure.

FILE class in Java allows creation of subdirs, and setting specific permissions on created files. It is recommended to create the temp files within app specific subdirectory, for example "Fdroid" under global tmp folder. This subfolder can be created with restricted permissions for owner only, to create other temporary files with restricted permissions within this app-specific folder.

4.1.23

OTF-023 — (fdroidclient) App Is Signed With `SHA1withRSA`, Known to Have Collision Issues

Vulnerability ID: OTF-023

Vulnerability type: Cryptography

Threat level: Moderate

Description:

The application was found to be signed with a SHA1withRSA, which is known to have collision issues.

Technical description:

SHA1 with RSA has known collision issues, hence it is not recommended to be used for signing new apps.

Note: If you use SHA256, the app will no longer work on android devices < 4.3. This means that builds made with the new cert system will create APK files that may not install on some Android 4.0-4.2 devices.

It is recommended to never use the unvalidated user input inside a SQL query and execute it. The best way to make sure adversaries will not be able to inject unsolicited SQL syntax into your queries is to avoid using SQLiteDatabase.rawQuery() instead opting for a parameterized statement.

It is possible to exploit the Nearby swap feature of fdroid application and access the Android device's application directory. This can also be used to download files from the device, without any authorization.

Recommendation:

The way the feature has been implemented is prone to different attacks. It is suggested to not directly open a web server and allow everyone to access. Some authentication should be applied.

4.1.26

OTF-026 — (fdroid Client) Insecure Implementation of SSL

Vulnerability ID: OTF-026

Vulnerability type: Transport Layer Security

Threat level: Moderate

Description:

Trusting all the certificates or accepting self-signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks.

Technical description:

The application trusts and accepts any SSL certificate and self-signed certificate.
This allows an attacker to capture the application's traffic in a proxy and perform MITM attacks.

The application's code in the file TlsOnlySocketFactory.java shows that the application trusts and accepts any SSL certificate.
It is possible to install an SSL certificate on a device and run the application to capture its traffic on the proxy.

Impact:

This vulnerability makes the application susceptible to man in the middle attacks.

Recommendation:

A better security practice is to include an SSL certificate inside the application build.
Then check and trust only that certificate at runtime. This is known as SSL pinning.

SHA1withRSA, which is known to have collision issues, has been used to sign the application package.

Technical description:

SHA1 was used by default in APK signing for a few years. A attacker might be able to create an APK with his/her malicious code,
and identical SHA1 digest of your genuine files. Devices that had previous version will consider the crafted APK to be signed by your certificate,
and issue no warning when installing it.

Note: If you use SHA256, the app will no longer work on android devices < 4.3. This means that builds made with the new cert system will create APK files that may not install on some Android 4.0-4.2 devices.

Insufficient checking of file types can lead to upload of malicious code.

Technical description:

In ../code/repomaker/repomaker/models/apk.py:183 the code checks for mime-types using file(1) mechanisms, but fails to enforce extension matching with the file type. Simple polyglot files can be stored in the repo matching video/audio/image mime class, yet containing scripts used in later stages of attacks.

Furthermore if .py is not allowed in the same function in line 198, then .pyc and .pyo should also be forbidden:

Low: Staging of malicious code, needs another vulnerability to trigger

Recommendation:

Check if the mime type matches the extension.

Use a white-list instead of a blacklist of extensions.

4.1.30

OTF-030 — Unsafe HTML Rendering of Arbitrary Input

Vulnerability ID: OTF-030

Vulnerability type: Code Execution

Threat level: Low

Description:

Unsafe use of the DatalistTextInput can lead to javascript injection in Repomaker. However this widget is currently only used to select predefined list of languages. However if in the future this widget is used to render unsanitized user input it can be easily exploited.

Technical description:

In ../code/repomaker/repomaker/views/init.py the DataListTextInput render() function could be used to inject javascript:

The dangerous python module pickle is being used to store and load a cache. On its own this is not exploitable, but when an attacker has can write files, then this can be escalated into a code execution vulnerability.

Technical description:

update.py uses the dangerous pickle module in get_cache(). Although it is only written by write_cache(), if an attacker has a write file primitive it is possible to achieve code execution on the target.

Low: needs a write files vulnerability to escalate into a code execution vulnerability

Recommendation:

Avoid the usage of the python pickle module

4.1.32

OTF-032 — Starting a Process With a Partial Executable Path

Vulnerability ID: OTF-032

Vulnerability type: Execution without path

Threat level: Low

Description:

All external programs that are called by fdroidserver depend on the correct executable to be first found in the $PATH environment variable. If an attacker is able to place their own executable on a path before the legit executable that can lead to adversarial code execution.

Technical description:

fdroidserver calls external executables without a path. This is an

issue in case an attacker can write an executable on a $PATH before the

This is similar to the code injection in drozer.py. However this is probably confined to the build VM and thus not significant, as the (maven,gradle, etc) buildscripts also have inherently code execution capabilities.

Impact:

Low: This is confined to the build VM, in which the build scripts have code execution anyway.

Recommendation:

Validate appids.

4.1.34

OTF-034 — Missing file type and size validation

Vulnerability ID: OTF-034

Vulnerability type: Arbitrary file in response

Threat level: Low

Description:

BluetootheServer.java: File included in Response Without Size or Type Check

Malicious file may be injected into an unsuspecting user's device, enabling attacker to exploit another vector.

Recommendation:

Only allow certain types of files to be transmitted (whitelisting) if possible.

Limit the size of file to be transmitted, and warn the user for large files.

4.1.35

OTF-035 — Hardcoded root CA keys

Vulnerability ID: OTF-035

Vulnerability type: Hardcoded keys

Threat level: Low

Description:

No Mechanism to Remove hardcoded Root CA Keys

Technical description:

In file fdroid/FDroidCertPins.java, the class FDroidCertPins defines default pinned root CA, and uses it for initialization, but does not provide a run-time removal of the keys. The only way to remove a root CA key is to build a new Fdroid client with modified list of keys.

Impact:

Data integrity compromise using older keys which may have expired or revoked.

Recommendation:

Provide key revocation list check. Alternatively, list the root CA keys in a separate file which can be updated independently.

Response from developer:lol, yup, ROT13 is just meant to "dissuade" people from trying to get those keys.

Impact:

False sense of security

Recommendation:

If the data being protected is sensitive, stronger encryption methods should be used.

4.1.37

OTF-037 — Untrusted External Links

Vulnerability ID: OTF-037

Vulnerability type: Unverified remote resources

Threat level: Low

Description:

External links used without validation

Technical description:

In file RepoXMLHandler.java, several description items of a repo or app are externally sourced - such as icon, bitcoin wallet, litecoin wallet and donate link. A seemingly harmless app hosted in Fdroid can be used to guide a willing but unsuspecting donor to malicious sites.

Response from developer:Since there is a human review of those URLs, and those URLs are committed to git, we have left those to be open without validation. There are also other URLs like home page, issue tracker, etc. I suppose we should show the full URL in the UI if they don't match a well known pattern.

Impact:

User may be lured to visit malicious web sites/ resources which can lead to social engineering attacks as well as malware installation.

Recommendation:

Documented manual review of external links before accepting a MR/PR/update/patch should be in place, and warning should be displayed to user when they click on the external links.

4.1.38

OTF-038 — Weak pattern matching filter

Vulnerability ID: OTF-038

Vulnerability type: Weak regular expression

Threat level: Low

Description:

Regular expression used for filtering file name entries in zipsigner appears to be permissive.

Technical description:

In zipio/ZipInput.java file, regular expression for file name entries in zipsigner appears to be permissive.

Only '/' character appears to be disallowed. This can be strengthened to not allow special characters such as semi colon, pipe, quotes etc.

Impact:

Potentially, a file name with special characters can trigger OS command injection.

Developer response: I get your concern for other platforms, but shell scripts and exec calls are relatively rare in Android/Java space. The zip library is doing the right thing in terms of handling all valid filenames. So I think this is a hypothetical issue that would apply if some unsafe code did something with the ZIP file.

Recommendation:

Regular expression pattern should be strengthened to not allow special characters such as semi colon, pipe, quotes etc. to avoid OS command injection attacks.

4.2

Non-Findings

In this section we list some of the things that were tried but turned out to
be dead ends.

4.2.1

(fdroid Client) Exploiting the Local Web Server of "Nearby Swap" to Navigate Directories

Tries multiple ways to navigate to local directories and files using the requests to HTTP server opened by Nearby Swap feature.
Apart from icons/ directory, no other directories were accessible.

4.2.2

(fdroid Client) Exploiting Exported Activities and Broadcasts

Attempts were made to exploit the exported component of the application, but no exploitable vulnerability was discovered. Exported components:
org.fdroid.fdroid.views.ManageReposActivity,
org.fdroid.fdroid.AppDetails2,
org.fdroid.fdroid.privileged.install.InstallExtensionBootReceiver,
org.fdroid.fdroid.receiver.StartupReceiver,
org.fdroid.fdroid.receiver.PackageManagerReceiver,
org.fdroid.fdroid.receiver.WifiStateChangeReceiver

4.2.3

(Privilege Extension) Static Analysis of APK

No vulnerabilities were discovered in the static analysis of the apk. Static analysis tests for hardcoded critical information, local storage, logging etc.

Pentest Technical Summary •

5

Future Work

As Fdroid ecosystem grows and new features are added/revamped, it is recommended that Fdroid server and app go through code audit and pen-test periodically, as also when a significant update is made to the code base or when new dependencies are introduced in the ecosystem.

Future Work •

6

Conclusion

Some issues were found in repomaker, however the impact of those are limited by the way repomaker is used. A few significant issues were found in fdroidserver, allowing running code in the build VM, in the fdroid host, and in the browsers of users. These issues are either from quite old code, or from new experimental code. Despite this there is signs of attempting to harden fdroidserver and to deploy defense-in-depth, this is commendable. The defensive mindset is a great asset, keep it up.

Similarly, code audit of Fdroid client/app code and 3rd party dependencies also reveals some high impact and many moderate impact issues which need to be fixed. A few issues, such as use of TOFU and repo-swap features need a redesign for mitigation of the vulnerability.

Significant exploitable issues were reported in Fdroid client pen-test leading to false trust and malicious app installation, along with redirect to malicious sites.

We conclude that given the large number of issues reported, some of which are design issues, Fdroid team should significantly improve the security of Fdroid software (server, repomaker and app) on a high priority.

Conclusion •

Appendix 1

Testing team

Stefan Marsiske

Stefan runs workshops on radare2, embedded hardware, lock-picking, soldering, gnuradio/SDR, reverse-engineering, and crypto topics. In 2015 he scored in the top 10 of the Conference on Cryptographic Hardware and Embedded Systems Challenge. He has run training courses on OPSEC for journalists and NGOs.

Abhinav Mishra

When he hacked the first application while doing his engineering graduation, back in 2009 ... he thought, this is cool.
Now it has been 6+ years and Abhinav has been involved in hacking web, mobile and networks as a penetration tester.
Together with numerous accolades from multiple organization, for responsible disclosures of vulnerabilities.
He is also a part of Synack Red Team and Cobalt core team. Has performed 100+ web, 50+ mobile applications and numerous network penetration tests.

Mahesh Saptarshi

Director, cyberSecurist Technologies. Mahesh is passionate about software security defences. He has performed a large number of pentests of enterprise, web and mobile applications. He has several US patents in the area of high availability and virtual machines technology.

Melanie Rieback

Melanie Rieback is a former Asst. Prof. of Computer Science from the
VU, who is also the co-founder/CEO of Radically Open Security.